authorBill Nottingham <notting@redhat.com>2007-08-09 15:10:46 +0000
committerBill Nottingham <notting@redhat.com>2007-08-09 15:10:46 +0000
commite404916e033ff354844fe7ac92fd395247d46cc4 (patch)
treefe7fac30b1446ce9f604052e203d18f2e3f808f2
parent3ca1d6ddd701525ab93ff9fd73701b44081da053 (diff)
add support for overriding IKE dh group (#251506, <stijn.tintel@x-tend.be>)
-rw-r--r--sysconfig.txt3
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec7
2 files changed, 6 insertions, 4 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index 19d329b3..0be8a84c 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -858,10 +858,11 @@ Files in /etc/sysconfig/network-scripts/
Automatic keying:
+ IKE_DHGROUP=<number> (defaults to 2)
IKE_METHOD=PSK|X509|GSSAPI
PSK=preshared keys (shared secret)
X509=X.509 certificates
- GSSAPI=GSSAPI authentication
+ GSSPI=GSSAPI authentication
IKE_PSK=preshared key for this connection
IKE_CERTFILE=our certificate file name for X509 IKE
IKE_PEER_CERTFILE=peer public cert filename for X509 IKE
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index fc650daf..caef52d0 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -102,6 +102,7 @@ if [ "$KEYING" = "manual" ]; then
[ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
[ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
else
+ [ -z "$IKE_DHGROUP" ] && IKE_DH=2
[ -z "$AH_PROTO" ] && AH_PROTO=sha1
[ -z "$ESP_PROTO" ] && ESP_PROTO=3des
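Review bot: The default on the added line is assigned to `IKE_DH`, but the heredocs changed later in this commit expand `$IKE_DHGROUP`, so when the option is unset the default never takes effect and the generated section ends up with `dh_group ;` and no group number. The line should read `[ -z "$IKE_DHGROUP" ] && IKE_DHGROUP=2`. The else-branch continues outside the hunk, so this is judged from the visible lines only.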
@@ -187,7 +188,7 @@ EOF
encryption_algorithm $ESP_PROTO;
hash_algorithm $AH_PROTO;
authentication_method pre_shared_key;
- dh_group 2 ;
+ dh_group $IKE_DHGROUP;
}
}
EOF
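Review bot: `$IKE_DHGROUP` is expanded into the generated IKE configuration here without any check, and the same applies to the rsasig and gssapi_krb sections in the two following hunks. A non-numeric or misspelled value in the ifcfg file would be written through as-is and presumably only fail when the IKE daemon parses the file; a guard next to the default assignment, such as `case "$IKE_DHGROUP" in *[!0-9]*) echo "invalid IKE_DHGROUP: $IKE_DHGROUP" >&2; exit 1;; esac`, would reject it at ifup time. The heredoc starts outside this hunk. Since the default stays at group 2 (1024-bit MODP), the sysconfig.txt entry could also state that selecting a larger group is the reason to set this option.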
@@ -209,7 +210,7 @@ EOF
encryption_algorithm $ESP_PROTO;
hash_algorithm $AH_PROTO;
authentication_method rsasig;
- dh_group 2;
+ dh_group $IKE_DHGROUP;
}
}
EOF
@@ -221,7 +222,7 @@ EOF
encryption_algorithm $ESP_PROTO;
hash_algorithm $AH_PROTO;
authentication_method gssapi_krb;
- dh_group 2 ;
+ dh_group $IKE_DHGROUP;
}
}
EOF